THE QUANTUM BIT COMMITMENT: A COMPLETE 
CLASSIFICATION OF PROTOCOLS 



GIACOMO MAURO D'ARIANO 
Quantum Optics & Information Group of the INFM 
Dipartimento di Fisica "A. Volta", via Bassi 6, I-27100 Pavia, Italy 

Department of Electrical and Computer Engineering, 
Northwestern University, Evanston, IL 60208 

This paper addresses the controversy between Mayers, Lo and Chau on one side, and Yuen on the opposite side, on whether or not unconditionally secure quantum bit commitment protocols exist. For this purpose, a complete classification of all possible bit commitment protocols is given, including all possible cheating attacks. For the simplest class of protocols (non-aborting, with complete and perfect verification) it is shown how naturally a game-theoretical situation arises. For these protocols, bounds for the cheating probabilities are derived, which turn out to be different from those given in the impossibility proof. The whole classification and analysis has been carried out using a finite open system approach. The discrepancy with the impossibility proof is explained on the basis of the implicit adoption of a closed system approach, equivalent to modeling the commitment as performed by two fixed machines interacting unitarily in an overall closed system. However, it is shown that the closed system approach for the classification of commitment protocols unavoidably leads to infinite dimensions, which then invalidate the continuity argument at the basis of the impossibility proof. 



1 Introduction 

It is of practical relevance to establish if there exist secure quantum bit com- 
mitment protocols, since the quantum bit commitment is a crucial element 
to build up more sophisticated protocols, such as remote quantum gambling, 
coin tossing, and unconditionally secure two-party quantum computation. 

In the bit commitment Alice provides Bob with a piece of evidence that she has chosen a bit $b = 0, 1$ which she commits to him. Later, Alice will open the commitment, revealing the bit $b$ to Bob, and proving that it is indeed the committed bit with the evidence in Bob's possession. Therefore, Alice and Bob should agree on a protocol which satisfies simultaneously the three requirements: (1) it must be concealing, namely Bob should not be able to retrieve $b$ before the opening; (2) it must be binding, namely Alice should not be able to change $b$ after the commitment; (3) it must be verifiable, namely Bob must be able to check $b$ against the evidence in his possession, according to the rules of the protocol. In an in-principle proof of security of the commitment it is supposed that both parties possess unlimited technology, e.g. computational power, space, time, etc., and the protocol is said to be unconditionally secure if neither Alice nor Bob can cheat with significant probability of success, as a consequence of physical laws. 

In 1993 a quantum mechanical protocol was proposed, and the unconditional security of this protocol was generally accepted for a long time. The insecurity of this protocol was shown by Mayers, Lo and Chau in 1997, when the possibility for Alice to cheat by entangling the committed evidence with a quantum system in her possession was recognized, and it was argued that no unconditionally secure protocol is possible. Finally, after 2000 Yuen presented some protocols which challenged the previous impossibility proof, mostly on the basis of the possibility of encoding the bit on an anonymous state given to Alice by Bob and known only to him, and suggesting the use of decoy systems that make the protocol concealing in the limit of infinitely many systems, with the possibility for Bob of performing his quantum measurement before Alice's opening, whence disputing the general availability of EPR cheating for Alice. 

In this paper, in order to provide clarifications on the controversy, we will present a classification of all possible bit commitment protocols based on a single commitment step, analyzing the main cheating strategies for both parties (a full derivation of the classification, the reduction of multi-step commitments to a single step, and a more exhaustive analysis of cheating attacks can be found in the longer paper of which the present one is a much shorter version). For the simplest class of protocols (non-aborting, with complete and perfect verification) we will show how naturally a game-theoretical situation arises. Bounds for the cheating probabilities of these protocols are presented, which are different from those given in the impossibility proof. In the final discussion we will see how the discrepancy between the two opposite analyses arises, due to the implicit adoption in the impossibility proof of a closed system approach, equivalent to modeling the commitment as performed by two fixed machines interacting unitarily in an overall closed system. However, it is shown that such modeling, along with the requirement of unlimited technology, necessarily leads to infinite dimensions, which invalidate the continuity argument at the basis of the impossibility proof. 

2 The classification of protocols 

The most general bit commitment scheme with a single step is of the form: (1) Bob prepares the Hilbert space $\mathsf{H}$ in the anonymous state $|\varphi\rangle \in \mathsf{H}$, and sends $\mathsf{H}$ to Alice; (2) Alice modulates the value $b = 0, 1$ of the committed bit on the anonymous state $|\varphi\rangle$ and sends the output back to Bob. The bit modulation is a quantum operation (QO) $\mathcal{M}^{(b)}$ parametrized by $b$. Such a scheme contains all possibilities, including Yuen's protocols and the protocols considered by Mayers, Lo and Chau, which correspond to an openly known $|\varphi\rangle$. In general the output Hilbert space $\mathsf{K}$ of the QO will be different from $\mathsf{H}$, since Alice can send back to Bob a quantum system different from the one he sent to her. 

In the longer version of this paper a complete classification of all possible protocols is derived, on the basis of the fact that, since Alice has unlimited technology, she can always achieve the encoding QO's $\mathcal{M}^{(b)}$ of the committed bit value $b$ via a perfect pure measurement. For non-aborting protocols, this corresponds to the following QO's 

$$\mathcal{M}^{(b)}(|\varphi\rangle\langle\varphi|) = \mathrm{Tr}_{\mathsf{F}\otimes\mathsf{P}}\Big[U^{(b)}\big(|\varphi\rangle\langle\varphi| \otimes |\omega\rangle\langle\omega|_{\mathsf{A}} \otimes \rho_{\mathsf{P}}\big)U^{(b)\dagger}\Big], \qquad (2.1)$$

where $\mathsf{A}$ is the preparation ancilla/decoy Hilbert space prepared in the state $|\omega\rangle$; $\mathsf{F}$ is the measurement ancilla Hilbert space on which Alice performs a complete von Neumann measurement, and we have $\mathsf{K}\otimes\mathsf{F} \simeq \mathsf{H}\otimes\mathsf{A}$; $\mathsf{P}$ is the space of the secret parameter, say $j$, which is needed in order to make the protocol concealing and at the same time verifiable (so that the modulation is actually a choice between two ensembles of QO's $\{\mathcal{M}^{(b)}_j\}$ for $b = 0, 1$). Therefore, the best option for Alice is to achieve the encoding QO by preparing the ancilla/decoy state $|\omega\rangle_{\mathsf{A}} \in \mathsf{A}$, performing the unitary transformation $U^{(b)}$ on $\mathsf{H}\otimes\mathsf{A}$, making a complete von Neumann measurement on $\mathsf{F}$, with outcome say $i$, and finally sending $\mathsf{K}$ to Bob. The partial trace on $\mathsf{F}\otimes\mathsf{P}$ in the basis $\{|i\rangle\otimes|j\rangle\}$ which describes Alice's measurement corresponds to the Kraus decompositions $\mathcal{M}^{(b)} = \sum_j p_j \sum_i E^{(b)}_{ij}\cdot E^{(b)\dagger}_{ij}$, where $j$ is the secret parameter and $i$ is the secret outcome, and the probabilities $p_j = \langle j|\rho_{\mathsf{P}}|j\rangle$ for $j$ depend on the preparation $\rho_{\mathsf{P}}$. In a protocol which is completely and perfectly verifiable, Alice tells $b$, $j$ and $i$ to Bob, who verifies the state $E^{(b)}_{ij}|\varphi\rangle$. Since the local QO's on $\mathsf{K}$ and on $\mathsf{F}\otimes\mathsf{P}$ commute, Alice has the possibility of (1) first sending $\mathsf{K}$ to Bob, and (2) then performing the measurement on $\mathsf{F}\otimes\mathsf{P}$ at the very last moment, at the opening. As we will see, this is the basis for Alice's EPR cheating attacks. Notice that strictly trace-decreasing QO's, i.e. aborting protocols, pose limitations on Alice's EPR cheating: Alice cannot delay the abort of the protocol to the opening, and must declare it at the commitment. Since both secret parameters $j$ and $i$ can be conveniently measured by Alice, they can be treated on an equal footing as a single parameter $J = (j, i)$. With the notation $E^{(b)}_J = \sqrt{p_j}\,E^{(b)}_{ij} \in \mathsf{B}(\mathsf{H},\mathsf{K})$, the maps write 

$$\mathcal{M}^{(b)} = \sum_J E^{(b)}_J \cdot E^{(b)\dagger}_J . \qquad (2.2)$$

3 Cheating 

For a discussion of all possibilities of cheating see the longer version of this paper. Here we analyze only the useful attacks by both Alice and Bob. 

Alice cheating. After the commitment and before the opening Alice can try to cheat by performing a unitary transformation $V$ on $\mathsf{F}\otimes\mathsf{P}$: this is the so-called EPR attack. Without changing the QO's $\mathcal{M}^{(b)}$, the maneuver changes their Kraus decompositions, which are what is relevant at the opening, as $\{E^{(b)}_J\} \to \{E^{(b)}_J(V)\}$, keeping the cardinality, in the following way 

$$E^{(b)}_J(V) = \sum_L E^{(b)}_L V_{JL}, \qquad V_{JL} = \langle J|V|L\rangle . \qquad (3.3)$$

The probability that Alice can cheat successfully in pretending to have committed, say, $b = 1$, whereas she committed $b = 0$ instead, is given by the overlap of the state $E^{(0)}_J(V)|\varphi\rangle$ that Bob actually holds with the verification state $E^{(1)}_J|\varphi\rangle$, summed over the declared outcomes $J$: 

$$P^A_c(V,\varphi) = \sum_J \frac{\big|\langle\varphi|E^{(1)\dagger}_J E^{(0)}_J(V)|\varphi\rangle\big|^2}{\big\|E^{(1)}_J|\varphi\rangle\big\|^2}, \qquad (3.4)$$

and depends on the anonymous state $|\varphi\rangle$ and on the cheating transformation $V$. Without any knowledge of $|\varphi\rangle$, the best that Alice can do is to adopt a conservative strategy, maximizing her probability of cheating in the worst case, corresponding to the minimax choice of $V$ 

$$(P^A_c)_{\rm minimax} = \max_V \min_{\varphi} P^A_c(V,\varphi) . \qquad (3.5)$$

It is evident that in this way a game-theoretical situation arises, in which Bob chooses $|\varphi\rangle$ and Alice chooses $V$, with the probability $P^A_c(V,\varphi)$ playing the role of a payoff matrix. The actual game situation is more complicated (due for example to Bob cheating) and will be analyzed elsewhere. 

Bob cheating. Bob can try to cheat by making the best discrimination between the two maps $\mathcal{M}^{(b)} = \sum_j p_j \mathcal{M}^{(b)}_j$. However, since he doesn't know the probabilities $p_j$ actually used by Alice, his strategy will be suboptimal, and his actual cheating probability will be lower than the probability $(P^B_c)_{\rm opt}$ corresponding to the optimal strategy with the right probabilities $p_j$. Since map discrimination is generally more reliable with the map acting locally on an entangled state, instead of preparing $|\varphi\rangle \in \mathsf{H}$ Bob prepares an entangled state on $\mathsf{H}\otimes\mathsf{R}$ and sends only $\mathsf{H}$ to Alice. Therefore, for equally probable bit values $b = 0, 1$, Bob's cheating probability is bounded as follows 

$$P^B_c \le (P^B_c)_{\rm opt} = \frac12 + \frac14\big\|\mathcal{M}^{(1)} - \mathcal{M}^{(0)}\big\|_{cb}, \qquad (3.6)$$

where $\|\cdot\|_{cb}$ denotes the completely bounded (CB) norm. 

Bounds for cheating probabilities. If the protocol is perfectly concealing the CB norm in Eq. (3.6) is zero, and the two maps are the same, whence their Kraus decompositions are connected via a unitary transformation $V$ on $\mathsf{F}\otimes\mathsf{P}$, and Alice can cheat with probability one. Let's consider now the case in which Bob's optimal probability of cheating $(P^B_c)_{\rm opt}$ is infinitesimally close to $\frac12$, namely $\|\mathcal{M}^{(1)} - \mathcal{M}^{(0)}\|_{cb} = \epsilon$. Notice that generally $\epsilon$ is vanishing for increasing dimension of $\mathsf{K}$ (such as when the approximately concealing condition is achieved for an increasingly large number of decoy systems), and no obvious continuity argument can be invoked to assert that Alice's cheating probability will approach unity for vanishing $\epsilon$. More precisely, in the present context the continuity argument of the impossibility proof would imply that 

$$1 - (P^A_c)_{\rm minimax} \le \omega\big(\|\mathcal{M}^{(1)} - \mathcal{M}^{(0)}\|_{cb}\big), \qquad \lim_{\epsilon\to 0}\omega(\epsilon) = 0, \qquad (3.7)$$

with the function $\omega(\epsilon)$ independent of the dimension of $\mathsf{K}$. However, using anonymous states such an assertion may turn out to be false. In fact, it is obvious that if there is an alternate Kraus decomposition $\{E^{(0)}_J(V)\}$ for the map $\mathcal{M}^{(0)}$ such that the two Kraus decompositions $\{E^{(0)}_J(V)\}$ and $\{E^{(1)}_J\}$ are close, then the protocol is approximately concealing and not binding, since 

$$(P^B_c)_{\rm opt} - \frac12 = \frac14\big\|\mathcal{M}^{(1)} - \mathcal{M}^{(0)}\big\|_{cb} \le \frac12\,\Big\|\sum_J \big|E^{(0)}_J(V) - E^{(1)}_J\big|^2\Big\|^{1/2}, \qquad (3.8)$$

$$1 - P^A_c(V,\varphi) \le \Big\|\sum_J \big|E^{(0)}_J(V) - E^{(1)}_J\big|^2\Big\|, \qquad (3.9)$$

where for any operator $A$ we use the customary abbreviation $|A|^2 = A^\dagger A$. 
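The two bounds can be checked directly from the definitions on this page; the short derivation below is added here and is not part of the original paper. Write $D_J = E^{(0)}_J(V) - E^{(1)}_J$, and recall that for non-aborting protocols $\sum_J E^{(b)\dagger}_J E^{(b)}_J = I$, a property that the reshuffling (3.3) preserves. For (3.8), 

$$\mathcal{M}^{(0)}(X) - \mathcal{M}^{(1)}(X) = \sum_J \Big(D_J\, X\, E^{(0)\dagger}_J(V) + E^{(1)}_J\, X\, D_J^\dagger\Big),$$

and for a map of the form $X \mapsto \sum_J A_J X B_J^\dagger$ one has $\|\cdot\|_{cb} \le \|\sum_J A_J^\dagger A_J\|^{1/2}\,\|\sum_J B_J^\dagger B_J\|^{1/2}$ (write the map as $\mathrm{Tr}_2[\,(\sum_J A_J\otimes|J\rangle)\, X\, (\sum_J B_J\otimes|J\rangle)^\dagger]$ and bound the two factors in operator norm). Applying this to both terms gives 

$$\big\|\mathcal{M}^{(1)} - \mathcal{M}^{(0)}\big\|_{cb} \le 2\,\Big\|\sum_J |D_J|^2\Big\|^{1/2},$$

which is (3.8) after multiplication by $\frac14$. For (3.9), let $|f_J\rangle = E^{(1)}_J|\varphi\rangle/\|E^{(1)}_J|\varphi\rangle\|$ (outcomes with $E^{(1)}_J|\varphi\rangle = 0$ contribute nothing to (3.4) and are dropped). Each term of (3.4) is $\|\,|f_J\rangle\langle f_J|\,E^{(0)}_J(V)|\varphi\rangle\|^2$, and $\sum_J \|E^{(0)}_J(V)|\varphi\rangle\|^2 = 1$, so 

$$1 - P^A_c(V,\varphi) = \sum_J \Big\|\big(I - |f_J\rangle\langle f_J|\big)E^{(0)}_J(V)|\varphi\rangle\Big\|^2 = \sum_J \Big\|\big(I - |f_J\rangle\langle f_J|\big)D_J|\varphi\rangle\Big\|^2 \le \langle\varphi|\sum_J |D_J|^2|\varphi\rangle \le \Big\|\sum_J |D_J|^2\Big\|,$$

where the second equality uses $(I - |f_J\rangle\langle f_J|)E^{(1)}_J|\varphi\rangle = 0$. Since the last bound holds for every $|\varphi\rangle$, it also bounds $1 - \min_\varphi P^A_c(V,\varphi)$ for each $V$.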



However, the impossibility proof would be true if a bound of the form (3.8) were satisfied in the reverse direction, in which case one would have 

$$1 - (P^A_c)_{\rm minimax} \le \min_V \Big\|\sum_J \big|E^{(0)}_J(V) - E^{(1)}_J\big|^2\Big\| \le \omega\big(\|\mathcal{M}^{(1)} - \mathcal{M}^{(0)}\|_{cb}\big), \qquad (3.10)$$

which would correspond to the following continuity argument: if two CP maps are close in CB norm, then for a given fixed Kraus decomposition of one of the two maps there is always an alternate Kraus decomposition of the other map such that the two are close. Since as regards the cheating probabilities we have considered only the case of non-aborting protocols with perfect verification, proving the continuity argument (3.10), or directly the bound (3.7), would mean that a secure protocol can still be searched for outside such a class of protocols. On the other hand, finding a counterexample to Eq. (3.7) would provide a perfectly verifiable and unconditionally secure protocol. 
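The following numerical example is added here and is not part of the paper. It works through Eqs. (2.2), (3.3), (3.4), (3.6) and (3.9) on a constructed two-dimensional toy protocol in which, as in the Mayers, Lo and Chau setting, Bob's state $|\varphi\rangle = |0\rangle$ is openly known; the example assumes this so that $\mathsf{H}$ is effectively one-dimensional and the CB norm in (3.6) reduces to the trace norm of the two output states (Helstrom discrimination), which is what the code computes. Alice's secret parameter $j \in \{0,1\}$ is used with probabilities $(p_0, p_1)$; for $b = 0$ she sends $|j\rangle$, for $b = 1$ a rotated basis state $R(\theta)|j\rangle$. All function names and the protocol itself are the example's own.

```python
import numpy as np

# Constructed toy protocol (not from the paper).  Bob's anonymous state is the
# openly known |phi> = |0>, so the input space is the span of |phi> only, and
# every Kraus operator has the form |psi><phi|.  Alice's secret parameter is
# j in {0,1}, used with probabilities p = (p0, p1); each j has one measurement
# outcome i, so the combined parameter J of Eq. (2.2) is just j.
# For b = 0 Alice sends |j>, for b = 1 she sends R(theta)|j>, R a real rotation.
# theta = pi/4 with p = (1/2, 1/2) is the BB84-style commitment.

PHI = np.array([1.0, 0.0])  # openly known anonymous state |phi> = |0>

def rotation(theta):
    c, s = np.cos(theta), np.sin(theta)
    return np.array([[c, -s], [s, c]])

def kraus(b, theta, p):
    """Kraus operators E_J^{(b)} = sqrt(p_J) |psi_J^{(b)}><phi| of Eq. (2.2)."""
    basis = np.eye(2) if b == 0 else rotation(theta)
    return [np.sqrt(p[J]) * np.outer(basis[:, J], PHI.conj()) for J in range(2)]

def apply_map(E, rho):
    """M(rho) = sum_J E_J rho E_J^dagger."""
    return sum(e @ rho @ e.conj().T for e in E)

def reshuffle(E, V):
    """Eq. (3.3): E_J(V) = sum_L E_L V_{JL} with V_{JL} = <J|V|L>; the map is unchanged."""
    return [sum(V[J, L] * E[L] for L in range(len(E))) for J in range(len(E))]

def reshuffle_changes_map(E, V, phi=PHI):
    """Largest entry of M_V(rho) - M(rho): zero up to rounding for any unitary V."""
    rho = np.outer(phi, phi.conj())
    return float(np.abs(apply_map(reshuffle(E, V), rho) - apply_map(E, rho)).max())

def alice_cheat_prob(E0, E1, V, phi=PHI):
    """Eq. (3.4): Alice committed b = 0, applies V on her ancilla at the opening,
    declares b = 1 and the outcome J; Bob checks the state E_J^{(1)}|phi>."""
    total = 0.0
    for e0v, e1 in zip(reshuffle(E0, V), E1):
        ver = e1 @ phi                       # (unnormalised) verification state
        norm2 = np.vdot(ver, ver).real
        if norm2 > 1e-12:                    # outcomes Bob never accepts contribute 0
            total += abs(np.vdot(ver, e0v @ phi)) ** 2 / norm2
    return float(total)

def bob_cheat_prob(E0, E1, phi=PHI):
    """Eq. (3.6) for a fixed, openly known input: Helstrom discrimination of the
    two output states, 1/2 + 1/4 || M^{(1)}(rho) - M^{(0)}(rho) ||_1."""
    rho = np.outer(phi, phi.conj())
    diff = apply_map(E1, rho) - apply_map(E0, rho)
    return float(0.5 + 0.25 * np.sum(np.abs(np.linalg.eigvalsh(diff))))

def kraus_distance(E0V, E1):
    """Right-hand side of Eq. (3.9): || sum_J |E_J^{(0)}(V) - E_J^{(1)}|^2 ||, |A|^2 = A^dagger A."""
    S = sum((a - b).conj().T @ (a - b) for a, b in zip(E0V, E1))
    return float(np.linalg.eigvalsh(S).max())

def best_real_rotation(E0, E1, steps=720):
    """Alice's best V among real rotations, by grid search (phi is fixed here, so
    the minimum over phi in (3.5) is trivial).  Among equally good V prefer the
    one with the smallest Kraus distance of (3.9), i.e. without a spurious sign flip."""
    cands = [(alice_cheat_prob(E0, E1, rotation(2 * np.pi * k / steps)),
              2 * np.pi * k / steps) for k in range(steps)]
    pmax = max(pc for pc, _ in cands)
    ties = [alpha for pc, alpha in cands if pc > pmax - 1e-9]
    alpha = min(ties, key=lambda a: kraus_distance(reshuffle(E0, rotation(a)), E1))
    return pmax, alpha

def analyse(p, theta=np.pi / 4):
    """(Bob's optimal cheating probability, Alice's best cheating probability,
    the (3.9) bound at Alice's best V) for the toy protocol with parameters p, theta."""
    E0, E1 = kraus(0, theta, p), kraus(1, theta, p)
    pb = bob_cheat_prob(E0, E1)
    pa, alpha = best_real_rotation(E0, E1)
    bound = kraus_distance(reshuffle(E0, rotation(alpha)), E1)
    return pb, pa, bound

if __name__ == "__main__":
    for p in [(0.5, 0.5), (0.7, 0.3)]:
        pb, pa, bound = analyse(p)
        print(f"p={p}: Bob (3.6) = {pb:.4f}, Alice max_V (3.4) = {pa:.4f}, "
              f"1 - P_A = {1 - pa:.4f} <= {bound:.4f} (3.9)")
```

With uniform $p$ the two maps coincide (both output $I/2$), Bob's Helstrom probability is exactly $\frac12$, and the grid search finds the $V$ that turns $\{E^{(0)}_J\}$ into $\{E^{(1)}_J\}$, so Alice cheats with probability one, as stated for perfectly concealing protocols. With $p = (0.7, 0.3)$ the protocol is no longer concealing and Alice's best real rotation gives $P^A_c = \frac12 + \sqrt{0.21}$, with $1 - P^A_c$ sitting at exactly half of the (3.9) bound.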



4 Discussion 



The discrepancy between the previous analysis and the analysis beneath the impossibility proof is essentially due to the fact that the latter is based on the assumption that the starting state of the commitment protocol is openly known, in the sense that the probability distribution of the state is given, and then the corresponding mixed state can be purified. The general underlying idea is that the protocol should be processed by machines, and therefore all probability distributions are defined, and purified inside the machines. However, such an assumption is certainly not realistic for a cryptographic protocol, where each party actually has the freedom of changing or tuning the machine, namely choosing any desired probability distribution. One can continue to argue along this line, asserting that changing the machine is equivalent to using a larger machine. However, this is equivalent to considering infinite machines, corresponding to uniform probabilities on infinite sets, and this would invalidate an impossibility proof based on an unproved continuity argument. 
The above ill-posed mathematical framework arises from the Bayesian approach to secret parameters, dictated by the closed system modeling with fixed machines and purification of probabilities. As an alternative to the previous approach we have the realistic finite open system approach, in which unknown parameters are treated as such, without the need of any a priori probability distribution, and in which we can address the problem for finite dimension, with the parameter $\epsilon$ depending on it. Then, if one proceeds by treating unknown parameters as such, no openly known state can be assumed, and the anonymous state encoding of Yuen leads to the present classification of protocols. Notice that if the initial state $|\varphi\rangle$ is openly known, then for that given fixed state all QO's can be regarded as random unitary transformations (since all states are connected by unitary transformations), and this leads to the simple form of Alice's cheating probability in terms of fidelities, whereas in the present context the probability of cheating has the more involved form (3.4), due to the fact that the state $|\varphi\rangle$ is unknown, and that there are QO's that don't admit random unitary Kraus decompositions. 

Finally, regarding the possibility of aborting protocols, one could always reasonably adopt equivalent protocols which don't abort, since the repeated commitment will eventually be successful. However, such protocols will necessarily be infinite convex combinations of protocols on infinite dimensional anonymous spaces $\mathsf{H}$, and again the closed system approach would necessarily lead to infinite dimensions. 